CVE-2023-36391
📋 TL;DR
CVE-2023-36391 is a local elevation-of-privilege vulnerability in the Windows Local Security Authority Subsystem Service (LSASS). An attacker who already has an authenticated, low-privilege session on the host can use it to run code as SYSTEM. It is not exploitable over the network and does not provide the initial foothold; it turns a standard-user compromise into full control of the machine.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 11 23H2 by Microsoft is the release this page tracks; the vendor advisory linked below lists every affected Windows client and server build.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with a foothold as a standard user gains SYSTEM on the host: full control of the machine, access to cached credentials and secrets held by LSASS, persistence as a privileged service or scheduled task, and a launch point for lateral movement with any credentials found.
Likely Case
Malicious insider or compromised user account escalates to administrator privileges to install malware, steal credentials, or bypass security controls.
If Mitigated
Once the update is installed the escalation path is closed. Where patching lags, least privilege and LSASS hardening limit what an attacker can do with a foothold but do not remove the vulnerability, so exposure stays bounded to the unpatched hosts.
🎯 Exploit Status
Exploitation requires local authenticated access (local attack vector, low privileges, no user interaction). Do not assume a public proof of concept exists; check the MSRC advisory's Exploitability Index and "Publicly Disclosed" field for the current assessment. LSASS flaws of this class have been weaponized in the past, so treat the window between disclosure and patching as short.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the November 2023 cumulative security update for your Windows build (Microsoft published the fix on 14 November 2023; the KB number differs per build, so take it from the Security Updates table in the advisory)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36391
Restart Required: Yes
Instructions:
1. Apply the cumulative update through Windows Update.
2. For enterprise fleets, deploy it through WSUS, Configuration Manager (SCCM) or Intune.
3. Restart affected systems; the fix is not active until the reboot completes.
🔧 Temporary Workarounds
Harden LSASS
Apply LSASS protection so that lsass.exe runs as a Protected Process Light (PPL) and its secrets are isolated by virtualization-based security. This raises the bar for reading or injecting into LSASS memory, but it is general hardening rather than a documented fix for this CVE, so it complements the update instead of replacing it.
Enable Windows Defender Credential Guard via Group Policy: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security, then set Credential Guard Configuration to Enabled (requires UEFI, Secure Boot and hardware virtualization).
Configure LSA Protection (reboot required): reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Implement strict least privilege principles - ensure users don't have unnecessary local admin rights
- Enable Windows Defender Credential Guard and LSA protection to harden LSASS
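The two hardening steps above (LSA protection and Credential Guard) as one elevated PowerShell script. This is an added example, not code from the advisory or the original page; it writes the registry values that the corresponding Group Policy settings set, and assumes a UEFI host with Secure Boot and hardware virtualization (on other hardware Credential Guard is configured but will not start).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): enable LSA protection and Credential
# Guard through the registry values behind the Group Policy settings.
# Assumes UEFI + Secure Boot + virtualization support. Reboot afterwards.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Set-DwordValue {
    # Write a REG_DWORD only when it differs from the current value, and report it.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) {
        Write-Output "$Name already set to $Value"
        return
    }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    Write-Output "$Name : $current -> $Value"
}

# 1. LSA protection: after the next boot lsass.exe runs as a Protected Process
#    Light, so unprotected code cannot open it for reading or injection.
#    1 = enabled with UEFI lock; 2 = enabled without UEFI lock (Windows 11 22H2+).
Set-DwordValue -Path $LsaKey -Name 'RunAsPPL' -Value 1

# 2. Credential Guard: turn on virtualization-based security, require Secure
#    Boot (1; use 3 for Secure Boot + DMA protection) and enable Credential
#    Guard (LsaCfgFlags 1 = with UEFI lock, 2 = without lock).
Set-DwordValue -Path $DgKey  -Name 'EnableVirtualizationBasedSecurity' -Value 1
Set-DwordValue -Path $DgKey  -Name 'RequirePlatformSecurityFeatures'   -Value 1
Set-DwordValue -Path $LsaKey -Name 'LsaCfgFlags'                       -Value 1

Write-Output 'Reboot required for both settings to take effect.'
```

The UEFI-locked variants (value 1) cannot be undone by simply deleting the registry value; they require physical or console access to clear the UEFI variable, which is the point, but test on a pilot group first so that legacy agents that inject into LSASS do not break silently.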
🔍 How to Verify
Check if Vulnerable:
Record the OS name, version and installed hotfixes, then compare the build number against the fixed build listed in the advisory for that release:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix(s)"
Verify Fix Applied:
Confirm that the cumulative update named in the advisory for this build is installed. wmic is deprecated; Get-HotFix is the supported equivalent and lists the most recent updates first with:
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn
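A fuller verification script for the checks above, added here as an example rather than taken from the page or the vendor. It reports the exact build (including the UBR that the advisory's fixed-build number refers to), checks whether the KB numbers you pass in are installed, and reads the configured and running state of LSA protection and Credential Guard. The KB in the usage line is a placeholder; substitute the one the advisory lists for your build.

```powershell
# Added example (not part of the advisory): patch and LSASS-hardening state.

function Get-PatchState {
    param([string[]]$RequiredKBs)   # KB numbers from the MSRC advisory for this build
    $os  = Get-CimInstance Win32_OperatingSystem
    # UBR is the fourth build component (e.g. 22631.xxxx); the advisory names the
    # fixed build, so comparing Build is more reliable than a KB lookup alone.
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    [pscustomobject]@{
        OSName      = $os.Caption
        Build       = "$($os.Version).$ubr"
        InstalledKB = @($RequiredKBs | Where-Object { $_ -in $installed })
        MissingKB   = @($RequiredKBs | Where-Object { $_ -notin $installed })
    }
}

function Get-LsassHardeningState {
    # Configured values (apply at next boot) come from the registry; running
    # state comes from Win32_DeviceGuard and from the Wininit boot event.
    $os  = Get-CimInstance Win32_OperatingSystem
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Wininit event 12 ("LSASS.exe was started as a protected process") is
    # written at boot; restrict to the current boot so stale events do not count.
    $pplEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
        StartTime = $os.LastBootUpTime
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPL_Configured    = $lsa.RunAsPPL
        LsassProtectedThisBoot = [bool]$pplEvent
        LsaCfgFlags_Configured = $lsa.LsaCfgFlags
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = enabled and running
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)      # 1 = Credential Guard
    }
}

# Usage: KB0000000 is a placeholder; use the KB the advisory lists for this build.
Get-PatchState -RequiredKBs @('KB0000000') | Format-List
Get-LsassHardeningState | Format-List
```

A host is only fixed when Build is at or above the advisory's fixed build and the machine has rebooted since the update; an installed-but-pending update shows up in Get-HotFix while the old lsass.exe is still running.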
📡 Detection & Monitoring
Log Indicators:
- Security Event ID 4688 where the Creator Process Name (parent) is lsass.exe: lsass.exe spawns no children in normal operation, so a SYSTEM shell or loader with that parent is a strong signal of a successful escalation
- Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe from a SourceImage that is not a known system binary or security tool
- Unexpected SYSTEM-level activity on the host (for example Event ID 4672, special privileges assigned to a new logon) shortly after a standard-user session; noisy on its own, useful only when correlated with the 4688 above
Network Indicators:
- Not network exploitable; focus on host-based detection
SIEM Query (Splunk, XML-rendered Security events; field names depend on the ingest add-on):
source="WinEventLog:Security" EventCode=4688 ParentProcessName="*\\lsass.exe" | stats count by Computer, SubjectUserName, NewProcessName, CommandLine
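The same two host indicators (children of lsass.exe in the Security log, and handles opened on lsass.exe in the Sysmon log) as a local hunting script. This is an added example and not part of the original page; it assumes Sysmon is installed with ProcessAccess logging for lsass.exe and command-line auditing is enabled for 4688, and the allow-list of source images is an illustrative assumption to be tuned to your own EDR and AV binaries.

```powershell
# Added example (not from the original page): hunt for lsass.exe children and
# unexpected handles to lsass.exe on the local host.

function ConvertFrom-EventData {
    # Flatten the <EventData> of an event record into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-LsassChildProcesses {
    # lsass.exe should never be a parent; any 4688 with that parent is worth triage.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.ParentProcessName -like '*\lsass.exe') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Child   = $d.NewProcessName
                Command = $d.CommandLine        # empty unless command-line auditing is on
                User    = $d.SubjectUserName
            }
        }
    }
}

function Get-SuspiciousLsassAccess {
    # Sysmon event 10: handles opened on lsass.exe, minus an allow-list of
    # system binaries and security tooling (assumed; tune to your environment).
    param(
        [int]$Hours = 24,
        [string[]]$AllowedSources = @(
            'C:\Windows\System32\svchost.exe',
            'C:\Windows\System32\csrss.exe',
            'C:\Windows\System32\wininit.exe',
            'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe'
        )
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        $allowed = $AllowedSources | Where-Object { $d.SourceImage -like $_ }
        if ($d.TargetImage -like '*\lsass.exe' -and -not $allowed) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Source        = $d.SourceImage
                GrantedAccess = $d.GrantedAccess
                CallTrace     = $d.CallTrace
            }
        }
    }
}

Get-LsassChildProcesses | Format-Table -AutoSize
Get-SuspiciousLsassAccess | Group-Object Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Grouping the Sysmon hits by source image surfaces the one-off offender among the steady background of legitimate accesses; a single unsigned binary in a user-writable path opening lsass.exe is the case to pivot on, together with any 4688 child of lsass.exe in the same window.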